On Thu, Aug 27, 2009 at 12:46:51PM +0200, Laurent Rineau wrote:
> On my F11 x64 machine, this morning, I have launched that command:
>
>   sudo semanage fcontext -a -t textrel_shlib_t /opt/intel/Compiler/11.0/081/mkl/lib/em64t/libmkl_core.so
>
> After that, my X11 server froze. I managed to log in on the machine with ssh,
> but sudo got permission denied. :-(

Ouch

> Then I have done:
> - A soft shutdown with the power button. That shutdown was successful.
> - Power on the machine. Boot the default kernel. Lots of AVC on the console.
>   X11 and mingetty unable to launch.
> - Reboot with "enforcing=0 autorelabel=1 single". Relabelling seems ok.
> - Reboot (with no selinux boot parameters). X11 and GDM ok. But just after I
>   tried to login, a popup told me something about permission denied on $HOME,
>   using HOME=/. Obviously, that failed!
> - Reboot with enforcing=0.
>
> Then I have managed to understand that the problem is that almost all my files
> in $HOME are labeled: "system_u:object_r:default_t:s0" (actually all my $HOME
> but files with customized context).
>
> Another problem: unconfined_u has disappeared!
> $ id -Z
> user_u:user_r:user_t:s0
>
> $ sudo semanage user -l
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>
> guest_u         user       s0         s0                             guest_r
> root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
> staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
> sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
> system_u        user       s0         s0-s0:c0.c1023                 system_r
> user_u          user       s0         s0                             user_r
> xguest_u        user       s0         s0                             xguest_r
>
> I have searched on the web for a solution, but the only solutions proposed were
> /.autorelabel! :-(
>
> That is why I am looking for a clue here...
>
> The machine is under F11, with updates. My configuration:
>
> $ rpm -qa \*selinux\* \*semana\* | sort
> libselinux-2.0.80-1.fc11.i586
> libselinux-2.0.80-1.fc11.x86_64
> libselinux-debuginfo-2.0.80-1.fc11.x86_64
> libselinux-devel-2.0.80-1.fc11.x86_64
> libselinux-python-2.0.80-1.fc11.x86_64
> libselinux-utils-2.0.80-1.fc11.x86_64
> libsemanage-2.0.31-4.fc11.x86_64
> libsemanage-python-2.0.31-4.fc11.x86_64
> selinux-policy-3.6.12-78.fc11.noarch
> selinux-policy-targeted-3.6.12-78.fc11.noarch
>
> $ uname -a
> Linux matisse.localdomain 2.6.29.6-217.2.8.fc11.x86_64 #1 SMP Sat Aug 15 01:06:26 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
>
> $ sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        targeted
>
> (But the machine was in enforcing mode at the beginning of the story.)
>

I'd probably reinstall selinux-policy

mv /etc/selinux/targeted /etc/selinux/targeted.backup
yum remove selinux-policy*
yum install selinux-policy selinux-policy-targeted
touch /.autorelabel && reboot

> --
> Laurent Rineau
> http://fedoraproject.org/wiki/LaurentRineau
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
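One way to check, after the reinstall and relabel suggested above, that the two symptoms reported in this thread are gone (an added example, not part of the original messages). The function names `missing_users` and `default_t_paths`, the `/home/alice` paths and the embedded sample data are hypothetical and constructed for illustration; the find format string assumes GNU find built with SELinux support.

```shell
#!/bin/sh
# On a real system, feed the functions live data while still in permissive mode:
#   semanage user -l | missing_users unconfined_u
#   find "$HOME" -xdev -printf '%Z %p\n' | default_t_paths

# Print each expected SELinux user (arguments) that is absent from the
# `semanage user -l` output read on stdin. Only the first column is compared,
# so a role such as unconfined_r on the root row does not count as a match.
missing_users() {
    listed=$(awk 'NF >= 5 && ($1 ~ /_u$/ || $1 == "root") { print $1 }')
    for u in "$@"; do
        printf '%s\n' "$listed" | grep -qxF "$u" || printf '%s\n' "$u"
    done
}

# Print the paths whose SELinux type is default_t, reading "context path"
# lines on stdin. Paths containing spaces are preserved.
default_t_paths() {
    awk '{ split($1, c, ":")
           if (c[3] == "default_t") { sub(/^[^ ]+ /, ""); print } }'
}

# Constructed sample input mirroring the broken state described in the thread.
SAMPLE_USERS='SELinux User    Prefix  MCS Level  MCS Range       SELinux Roles

guest_u         user    s0         s0              guest_r
root            user    s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
user_u          user    s0         s0              user_r'

SAMPLE_FILES='system_u:object_r:default_t:s0 /home/alice/notes.txt
unconfined_u:object_r:user_home_t:s0 /home/alice/.bashrc
system_u:object_r:default_t:s0 /home/alice/My Documents/a.pdf'

printf 'missing SELinux users:\n%s\n' \
    "$(printf '%s\n' "$SAMPLE_USERS" | missing_users unconfined_u user_u)"
printf 'paths still labeled default_t:\n%s\n' \
    "$(printf '%s\n' "$SAMPLE_FILES" | default_t_paths)"
```

Empty output from both functions on live data means unconfined_u is back in the policy store and no file under $HOME is left with the default_t fallback label.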